feat(app): add 'Remove Device' menu on Devices tab

* feat(app): add 'Remove Device' menu on Devices tab

* feat(api): define DELETE endpoint to remove single device agent

* feat(app): integrate remove-device endpoint on Devices tab

* fix(api): set permission to remove-device-agent endpoint

* fix(app): use people action hook for agent device removal

---------

Co-authored-by: chasprowebdev <chasgarciaprowebdev@gmail.com>
Co-authored-by: chasprowebdev <70908289+chasprowebdev@users.noreply.github.com>

Author: github-actions[bot]

apps/api/src/devices/devices.controller.spec.ts

@@ -38,6 +38,7 @@ describe('DevicesController', () => {
     findAllByOrganization: jest.fn(),
     findAllByMember: jest.fn(),
     getMemberById: jest.fn(),
+    removeDeviceById: jest.fn(),
   };
 
   const mockGuard = { canActivate: jest.fn().mockReturnValue(true) };
@@ -202,4 +203,28 @@ describe('DevicesController', () => {
       ).rejects.toThrow('FleetDM unavailable');
     });
   });
+
+  describe('deleteDevice', () => {
+    it('should call service removeDeviceById with org, device, and user', async () => {
+      mockService.removeDeviceById.mockResolvedValue(undefined);
+
+      await controller.deleteDevice('dev_1', 'org_1', mockAuthContext);
+
+      expect(service.removeDeviceById).toHaveBeenCalledWith({
+        organizationId: 'org_1',
+        deviceId: 'dev_1',
+        userId: 'usr_1',
+      });
+    });
+
+    it('should propagate service errors', async () => {
+      mockService.removeDeviceById.mockRejectedValue(
+        new Error('Only organization owners can remove devices'),
+      );
+
+      await expect(
+        controller.deleteDevice('dev_1', 'org_1', mockAuthContext),
+      ).rejects.toThrow('Only organization owners can remove devices');
+    });
+  });
 });

apps/api/src/devices/devices.controller.ts

@@ -1,4 +1,4 @@
-import { Controller, Get, Param, UseGuards } from '@nestjs/common';
+import { Controller, Delete, Get, HttpCode, Param, UseGuards } from '@nestjs/common';
 import {
   ApiOperation,
   ApiParam,
@@ -220,4 +220,41 @@ export class DevicesController {
         }),
     };
   }
+
+  @Delete(':id')
+  @RequirePermission('member', 'delete')
+  @HttpCode(204)
+  @ApiOperation({
+    summary: 'Delete device',
+    description:
+      'Deletes a single device in the authenticated organization. Only organization owners can delete devices.',
+  })
+  @ApiParam({
+    name: 'id',
+    description: 'Device ID to delete',
+    example: 'dev_abc123def456',
+  })
+  @ApiResponse({
+    status: 204,
+    description: 'Device deleted successfully',
+  })
+  @ApiResponse({
+    status: 403,
+    description: 'Forbidden - only organization owners can delete devices',
+  })
+  @ApiResponse({
+    status: 404,
+    description: 'Organization or device not found',
+  })
+  async deleteDevice(
+    @Param('id') id: string,
+    @OrganizationId() organizationId: string,
+    @AuthContext() authContext: AuthContextType,
+  ): Promise<void> {
+    await this.devicesService.removeDeviceById({
+      organizationId,
+      deviceId: id,
+      userId: authContext.userId,
+    });
+  }
 }

apps/api/src/devices/devices.service.spec.ts

@@ -0,0 +1,134 @@
+import { Test, TestingModule } from '@nestjs/testing';
+import { ForbiddenException, NotFoundException } from '@nestjs/common';
+import { db } from '@db';
+import { FleetService } from '../lib/fleet.service';
+import { DevicesService } from './devices.service';
+
+jest.mock('@db', () => ({
+  db: {
+    organization: { findUnique: jest.fn() },
+    member: { findFirst: jest.fn() },
+    device: { deleteMany: jest.fn() },
+  },
+}));
+
+describe('DevicesService', () => {
+  let service: DevicesService;
+
+  const mockFleetService = {
+    getHostsByLabel: jest.fn(),
+    getMultipleHosts: jest.fn(),
+  };
+
+  beforeEach(async () => {
+    const module: TestingModule = await Test.createTestingModule({
+      providers: [
+        DevicesService,
+        { provide: FleetService, useValue: mockFleetService },
+      ],
+    }).compile();
+
+    service = module.get<DevicesService>(DevicesService);
+    jest.clearAllMocks();
+  });
+
+  describe('removeDeviceById', () => {
+    it('throws when organization does not exist', async () => {
+      (db.organization.findUnique as jest.Mock).mockResolvedValue(null);
+
+      await expect(
+        service.removeDeviceById({
+          organizationId: 'org_missing',
+          deviceId: 'dev_1',
+          userId: 'usr_1',
+        }),
+      ).rejects.toThrow(NotFoundException);
+    });
+
+    it('throws when user id is missing', async () => {
+      (db.organization.findUnique as jest.Mock).mockResolvedValue({
+        id: 'org_1',
+      });
+
+      await expect(
+        service.removeDeviceById({
+          organizationId: 'org_1',
+          deviceId: 'dev_1',
+        }),
+      ).rejects.toThrow(ForbiddenException);
+    });
+
+    it('throws when user is not a member of organization', async () => {
+      (db.organization.findUnique as jest.Mock).mockResolvedValue({
+        id: 'org_1',
+      });
+      (db.member.findFirst as jest.Mock).mockResolvedValue(null);
+
+      await expect(
+        service.removeDeviceById({
+          organizationId: 'org_1',
+          deviceId: 'dev_1',
+          userId: 'usr_1',
+        }),
+      ).rejects.toThrow('User is not a member of this organization');
+    });
+
+    it('throws when member is not an owner', async () => {
+      (db.organization.findUnique as jest.Mock).mockResolvedValue({
+        id: 'org_1',
+      });
+      (db.member.findFirst as jest.Mock).mockResolvedValue({
+        role: 'admin',
+      });
+
+      await expect(
+        service.removeDeviceById({
+          organizationId: 'org_1',
+          deviceId: 'dev_1',
+          userId: 'usr_1',
+        }),
+      ).rejects.toThrow('Only organization owners can remove devices');
+    });
+
+    it('throws when device does not exist in organization', async () => {
+      (db.organization.findUnique as jest.Mock).mockResolvedValue({
+        id: 'org_1',
+      });
+      (db.member.findFirst as jest.Mock).mockResolvedValue({
+        role: 'owner',
+      });
+      (db.device.deleteMany as jest.Mock).mockResolvedValue({ count: 0 });
+
+      await expect(
+        service.removeDeviceById({
+          organizationId: 'org_1',
+          deviceId: 'dev_missing',
+          userId: 'usr_1',
+        }),
+      ).rejects.toThrow(NotFoundException);
+    });
+
+    it('deletes device when caller is owner', async () => {
+      (db.organization.findUnique as jest.Mock).mockResolvedValue({
+        id: 'org_1',
+      });
+      (db.member.findFirst as jest.Mock).mockResolvedValue({
+        role: ' employee , owner ',
+      });
+      (db.device.deleteMany as jest.Mock).mockResolvedValue({ count: 1 });
+
+      await service.removeDeviceById({
+        organizationId: 'org_1',
+        deviceId: 'dev_1',
+        userId: 'usr_1',
+      });
+
+      expect(db.device.deleteMany).toHaveBeenCalledWith({
+        where: {
+          id: 'dev_1',
+          organizationId: 'org_1',
+        },
+      });
+    });
+  });
+});

apps/api/src/devices/devices.service.ts

@@ -1,4 +1,9 @@
-import { Injectable, NotFoundException, Logger } from '@nestjs/common';
+import {
+  Injectable,
+  NotFoundException,
+  Logger,
+  ForbiddenException,
+} from '@nestjs/common';
 import { db } from '@db';
 import { getDeviceComplianceStatus } from '@trycompai/utils/devices';
 import { FleetService } from '../lib/fleet.service';
@@ -175,6 +180,66 @@ export class DevicesService {
     }
   }
 
+  async removeDeviceById({
+    organizationId,
+    deviceId,
+    userId,
+  }: {
+    organizationId: string;
+    deviceId: string;
+    userId?: string;
+  }): Promise<void> {
+    const organization = await db.organization.findUnique({
+      where: { id: organizationId },
+      select: { id: true },
+    });
+
+    if (!organization) {
+      throw new NotFoundException(
+        `Organization with ID ${organizationId} not found`,
+      );
+    }
+
+    if (!userId) {
+      throw new ForbiddenException('Only organization owners can remove devices');
+    }
+
+    const member = await db.member.findFirst({
+      where: {
+        userId,
+        organizationId,
+        deactivated: false,
+      },
+      select: { role: true },
+    });
+
+    if (!member) {
+      throw new ForbiddenException('User is not a member of this organization');
+    }
+
+    const memberRoles = member.role
+      .split(',')
+      .map((role) => role.trim().toLowerCase());
+    const isOwner = memberRoles.includes('owner');
+
+    if (!isOwner) {
+      throw new ForbiddenException('Only organization owners can remove devices');
+    }
+
+    const deleteResult = await db.device.deleteMany({
+      where: {
+        id: deviceId,
+        organizationId,
+      },
+    });
+
+    if (deleteResult.count === 0) {
+      throw new NotFoundException(
+        `Device with ID ${deviceId} not found in organization ${organizationId}`,
+      );
+    }
+  }
+
   // --- Private helpers ---
 
   private async getFleetDevicesForOrg(